Preface

The Global Interlock System (GIS) Design represents a challenge in that its design is in parallel with (and in some cases before) the designs of the systems it is meant to safeguard. Without completed designs and hazard analyses, the safety functions that the GIS are to implement cannot be completely defined.

The design of the Global Interlock System has been separated into two main portions. There is the hardware design, the GIS Architecture, which is the subject of this design document. The second portion is the software design, the GIS Functional Description, which is handled in another design document (SPEC-0140).

The reason for this separation is that the hardware design has been developed and is well understood. The GIS Functional Design requires the completion of subsystem designs, hazard analyses, and risk assessments.

In order to not delay development and construction of the GIS Architecture, the two portions have been separated.

The hardware architecture has been designed with the premise of flexibility, expandability, and programmability as basic considerations. This lends itself well to being adaptable to any safety function that may need to be implemented.

Introduction

Purpose

This document provides the basis of design for the architecture of the ATST Global Interlock System (GIS). The design of the GIS is provide in two main sections, the architecture which describes the hardware and interfaces of the system; and the functional design which covers design and implementation of the safety-related control functions.

Related and Reference Documents

The following documents form a part of this Specification. Any other documents referenced in any of these documents also form a part of the Specification.

Related Documents

ATST Specification Documents

The following documents contain information applicable to the design of the ATST Global Interlock System.

·        SPEC-0013, Software Operational Controls Definition Document

·        SPEC-0022, ATST Common Services Users’ Manual

·        SPEC-0041, ATST Spares Policy

·        SPEC-0046, Global Interlock System Design Specification

·        SPEC-0061, ATST Hazard Analysis Plan

·        SPEC-0070, General Specifications for the Design and Fabrication of ATST

·        SPEC-0140, Global Interlock System Functional Description

·        SPEC-0141, Global Interlock System Operational Concepts Description

ATST Interface Control Documents

The Global Interlock System shall meet the requirements of the following interface control documents:

·        SPEC-0063, Interconnects and Services

·        ICD 1.1-4.5 , Telescope Mount Assembly to Global Interlock System

·        ICD 1.2-4.5 , M1 Assembly to Global Interlock System

·        ICD 1.3-4.5 , TEOA to Global Interlock System

·        ICD 1.5-4.5 , Feed Optics to Global Interlock System

·        ICD 2.1-4.5 , Wave Front Control-Coudé to Global Interlock System

·        ICD 3.0-4.5, Instruments to Global Interlock System

·        ICD 3.1.1-4.5, Polarimetry Analysis and Calibration to Global Interlock System

·        ICD 3.1.2-4.5, Master Clock and Synchro Network to Global Interlock System

·        ICD 3.1.3-4.5, Coudé Station to Global Interlock System

·        ICD 3.2-4.5, Visible Broadband Imager to Global Interlock System

·        ICD 3.3-4.5, Visible Spectro-polarimeter to Global Interlock System

·        ICD 3.4.1-4.5, Diffraction Limited Near-IR Spectropolarimeter to Global Interlock System

·        ICD 3.4.2-4.5, Cryogenic Near-IR Spectropolarimeter to Global Interlock System

·        ICD 3.5-4.5, Visible Tunable Filter to Global Interlock System

·        ICD 3.6-4.5, Camera Systems to Global Interlock System

·        ICD 4.2-4.5 , Observatory Control System to Global Interlock System

·        ICD 4.5-5.0 , Global Interlock System to Enclosure

·        ICD 4.5-6.0, Global Interlock System to Support Facility and Buildings

·        ICD 4.5-6.7 , Global Interlock System to Facility Thermal Systems

ATST Reference Design Studies and Analyses

·        TN-0055, Global Interlock System Design

ATST Drawings

·        ATST-DWG-00065, Global Interlock System Configuration

Reference Documents

ATST Documents

·        PMCS-0023, Requirements Definition

·        SPEC-0002, Document and Drawing Control Plan

·        SPEC-0012, ATST Acronym List and Glossary

National Consensus Standards

·        ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems – Safety Requirements

·        NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition

International Standards

·        ISO 13849, Safety of Machinery—Safety-related parts of control systems

·        IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems

·        IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems

Industry Standards

·        ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard

Glossary

See SPEC-0012, ATST Acronym List and Glossary, for terms not listed below.

Global Interlock System

Overview

The GIS is not a single device instead, the GIS is a distributed group of devices working together to form an overall safety system. These devices are safety-rated Allen-Bradley GuardLogix® Programmable Automation Controllers (PAC) and safety-rated Guard I/O modules. Communication throughout the GIS is conducted over a redundant independent safety network. This network communication utilizes a network-independent safety protocol, which has been certified for use in SIL3-rated applications.

Each ATST subsystem is associated with one safety PAC. In this document the safety PAC associated with a single subsystem will be referred to as a Local Interlock Controller (LIC).  Safety-rated sensors, such as limit switches or emergency stop switches of a subsystem are connected to the subsystem’s associated LIC through safety-rated I/O blocks.

Information from all subsystems is sent to a centralized controller, the Global Interlock Controller (GIC), which determines the safety interrelationship of other subsystems. Based on safety function requirements, the GIC sends appropriate messages to other LICs.

As a system, all the LICs of the GIS work together coordinating safety function through the GIC. As subsystems, each LIC must be able to maintain safety of its associated subsystem independently, such as in the event of a loss of communications.

The GIC is also responsible for informing the Observatory Control System (OCS) of the status of the entire GIS. The OCS may disseminate this status information as desired; however, this information is for status purposes only and under no circumstances does the GIS rely on any action being taken based on the status given to the OCS. The OCS does not have any input influence on the GIS.

The GIC interacts with the operators via a touch screen Human Machine Interface (HMI). An alarm handler will display the state of any interlocks... The HMI will also provide the status of the GIC, safety network, LICs, and safety I/O. The HMI will have engineering screens containing diagnostic information for troubleshooting of the GIS. Resetting of safety functions is performed via the HMI using password-protected access.

In addition to prescribed safety functions, as part of the GIS, the Emergency Stop System (ESS) is distributed throughout the facility to provide a complementary safety stop function. The ESS provides devices to allow for an operator-initiated panic stop. The ESS is configured in such a manner to immediately shut down hazardous motion, remove any potentially hazardous energy from controlled devices, and put the facility into a safe state.

Any one of the emergency stop devices, within the ESS, when activated, affects all globally distributed controlled devices causing appropriate interlocks to be applied. The emergency stop devices are monitored at the local level (by a LIC) which in turn is monitored at the global level (GIC). Monitoring of the emergency stops through the local controllers enables the GIS to pinpoint the emergency stop which was activated.

The GIS allows future changes because it is a programmable, distributed, modular system. As new hazards are identified the GIS can easily implement new safety functions. The system can be readily expanded as needed.

Distribution of GIC and LICs

The GIC is to be located in an easily accessible, centralized location. Initial consideration of GIC placement is on the Utility level of the pier. Communications with the GIC is through fiber optic pairs as specified in SPEC-0046.

The LICs are distributed throughout the facility, within or near the controllers of their respective subsystem. There are seven LICs and one GIC. The distribution of LICs and GIC is shown in Figure 2‑1 and Figure 2‑2.

Subsystems requiring a LIC within the ATST are as follows:

1. Optical Support System (OSS)

   1. Top End Optical Assembly (TEOA)

   2. M1 Assembly

   3. Feed Optics

   4. Polarization Analysis and Calibration (PAC)

2. Mount Base

   1. Telescope Mount Assembly

3. Coudé Rotator

   1. Coudé Drive Controller

   2. Coudé Environmental Systems

4. Instrumentation

   1. Wave Front Controller

   2. Visible Broadband Imager

   3. Visible Spectropolarimeter

   4. Diffraction Limited Near-IR Spectropolarimeter

   5. Cryogenic Near-IR Spectropolarimeter

   6. Visible Tunable Filter

   7. Camera System

5. Facility Thermal System

   1. Facility Thermal Control System

6. Enclosure Motion

   1. Enclosure Motion Control

7. Facilities

   1. Facility Equipment

Independent Safety Network

The GIS is a distributed safety system of programmable controllers and associated distributed I/O modules, connected by an independent safety network. The Independent Safety Network is an integral part of the GIS and is provided as part of the GIS. All components of the GIS will connect to the Independent Safety Network.

The GIS communicates using the CIP Safety protocol, a set of integrated safety services on top of the communications stacks of the standard Common Industrial Protocol (CIP). The CIP Safety protocol is a network Independent protocol. CIP Safety is TÜV approved for use in certified Safety Integrity Level (SIL) 3 applications according to the IEC 61508 standard.

The GIS will use CIP Safety over EtherNet/IP (Ethernet Industrial Protocol). This will allow the use of common Ethernet technology, which allows for a flexible network architecture and differing media as needed. The Independent Safety Network is standard IEEE 802.3 Ethernet at the Physical and Data Link Layers.

The Network and Transport Layers utilize both Transmission Control Protocol/Internet Protocol (TCP/IP) and UDP over IP. TCP/IP encapsulates the standard CIP messages that are used for explicit (client-server) messages. For real-time messaging, such as I/O, EtherNet/IP uses UDP.

Ethernet/IP is an application layer protocol which uses the producer-consumer data exchange model, which provides more efficient use of network resources because data can be transmitted once to multiple destinations.

Physical Layer and Data Link Layer

The Independent Safety Network consists of nine managed network switches (Stratix 8300). These switches are physically connected in a redundant ring topology using 1 GB fiber optic cables (1000Base-SX). This limits any single segment to a maximum length of 550 meters (1787 ft.). Dual LC connectors are used at each switch.

Connections between the switches and the LICs as well as distributed I/O will be CAT5e (or higher category) (100Base-TX). This limits any single segment to a maximum length of 100 meters (328 ft.). If a longer segment is required or there is a need for improved noise immunity, the system will use EtherNet/IP taps with embedded switches and fiber optic media (100Base-FX). This limits any single segment to a maximum length of 412 meters (1352 ft.) if configured for half-duplex operation or a maximum length of 2000 meters (6562 ft.) if configured for full duplex operation.

To provide network segmentation each subsystem will be separated into a Virtual LAN (VLAN). Each subsystem of the ATST facility will connect to the GIS through a Local Interlock Controller (LIC). Each LIC and its associated distributed I/O modules will be part of a separate virtual LAN (VLAN). The LIC is a necessary element of a subsystem to provide safety interlocked control; however, it is also an integral part of the GIS.

The managed switch that connects to the GIC also functions as a Layer 3 router to allow communications across VLANs. This arrangement allows the distributed I/O to connect to any network switch in the GIS while reducing the traffic on each network segment.

The connection of a subsystem’s safety I/O modules to its associated LIC is the interface between that subsystem and the GIS. For each ATST subsystem there is an Interface Control Document (ICD) describing the connections to the LIC (see 2).

The EtherNet/IP network uses IEEE Std 802.3 standard protocols.

Network Layer and Transport Layer

The Network and Transport Layers utilize both Transmission Control Protocol/Internet Protocol (TCP/IP) and UDP over IP. TCP/IP encapsulates the standard CIP messages that are used for explicit (client-server) messages. For real-time messaging, such as I/O, EtherNet/IP uses UDP.

Session, Presentation, and Application Layers

Ethernet/IP is an application layer protocol which uses the producer-consumer data exchange model, which provides more efficient use of network resources because data can be transmitted once to multiple destinations.

CIP safety protocol is an end-node to end-node safety protocol. Each segment of the Independent Safety Network that contains safety I/O modules will be assigned a unique Safety Network Number (SNN). The SNN is used in combination with the node address of the safety device to form a unique node reference. The SNN is used to prevent errors from non-certified bridges, switches, or routers causing unsafe conditions.

Network Security

Because of the critical nature of the GIS as a safety-related control system it is vital to maintain strong network security.

Only components of the GIS network will be connected. This will be limited by the network switches which will only allow authorized devices to communicate on the GIS safety network.

The outward facing side of the network will be protected by a Stratix 5900 Network Services Router (see section 4.2.2).

Configuration and management changes will be password protected.

Global Interlock Controller (GIC)

Within the distributed GIS, there is only the one Global Interlock Controller (GIC). The GIC will be programmed as a centralized PAC that monitors all the LICs status. It is through the GIC that subsystem responses are recognized, coordinated and distributed. It is the responsibility of the GIC to inform all other LICs of global safety responses. The GIC shall produce the necessary signals to corresponding LICs requiring their subsystem’s action. It is also the responsibility of the GIC to send, on a separate network, the status information of the GIS to the OCS. This will be done at no less than a 1 Hz update rate.

The GIC consists of a chassis (1756-A7) with seven slots. The chassis also contains the backplane that is used for power and signal distribution among the modules installed in the rack. Redundant AC power supplies (1756-PA75) suitable for SIL3 applications are also included.

The GIC has a primary controller (1756-L63S) and a safety partner controller (1756-LSP). These two modules work in a one-out-of-two (1oo2) configuration to function as a SIL-3 capable controller.

The primary controller performs both standard and safety related control functions. To satisfy SIL3 requirements a second co-processor provides redundancy for safety related control functions.

Communications over the Independent Safety Network is handled by an Ethernet Bridge Module (1756-EN2T). Communications with the OCS host are over a fiber-optic Ethernet Bridge module (1756-EN2F). Because of design of the CIP Safety protocol, bridge devices are not required to be SIL-3 certified.

Functions of the Global Interlock Controller

The Global Interlock Controller (GIC) has two main functions within the GIS:

• It provides the global safety functions between all subsystems.

• It provides the status of the entire GIS to the OCS and all HMI

Communication with the GIC

Two separate networks are connected to the GIC.

Independent Safety Network

A facility safety network is one of the two connections that, through the use of a safety protocol on Ethernet, enable the GIC to communicate directionally with all LICs. This network is the main ATST safety network and is not directly accessible except by the safety controllers and distributed safety I/O within the GIS.

Observatory Communication Network

The second network to the GIC connects the GIS to the Observatory Communication Network via Ethernet using TCP/IP. This connection provides a one way passage of status information from the GIS to the OCS. The OCS may then distribute this information as necessary to various subsystems and displays for the operators.

This connection is made via a Stratix 5900 Service Router. This router provides secure routing and firewall capabilities to effectively isolate the GIS from the site-wide Observatory Communications Network. The router will only allow communications required to pass from the GIS to/from the Observatory Communications Network.

Details of the interface are contained in ICD 4.2-4.5, Observatory Control System to Global Interlock System.

Timing Requirements

CIP Safety requires that the individual messages be time-stamped. This is handled by CIP Sync which automatically synchronizes the various controllers’ real-time clocks. CIP Sync uses an implementation of IEEE 1588, Precision Time Protocol (PTP). This is sufficient to ensure the system operates properly even with a ‘hand set’ time. Safety does not rely on an outside time source.

The real-time clocks will be synchronized to within 100 milliseconds with the Time Reference And Distribution System (TRADS), so that logs can be correlated across the various systems in the ATST facility.

The ControlLogix 1756-ENT2 Ethernet modules and Stratix 8300 Managed Ethernet Switches distribute time information throughout the network.

Time Synchronization Module

The 1756HP-TIME module is configured to be the GIS Grandmaster Clock for distribution of timing with sub-microsecond absolute accuracy. This module contains an onboard GPS receiver to synchronize directly with GPS time or can be slaved to another IEEE-1588 time source The GIS Grandmaster Clock will synchronize the observatory-wide Time Reference and Distribution System (TRADS)

Future Expansion Capabilities

Because of the expected lifetime of the system and the likelihood of increasing connectivity within the ATST facility with more experience operating the system, allowances will be made for expansion modules in the GIC rack. Three possible expansion modules are listed below.

FactoryTalk Historian Module

The FactoryTalk Historian Module (1756-HIST) provides embedded high-speed data collection.

Web Server Module

Installation of a Web Server Module (1756-EWEB) would allow Web browser access to embedded module/network diagnostic Web pages or enable e-mail notification of critical system events.

Local Interlock Controller (LIC)

The basic building block of the GIS is the Local Interlock Controller (LIC). Each subsystem’s safety system is built around a GuardLogix controller and its associated distributed I/O. The LIC provides control reliable safety functions independently from the entire GIS.

The LIC consists of a chassis (1756-A4) with a minimum of four slots. The chassis also contains the backplane that is used for power and signal distribution among the modules installed in the rack. An AC power supply (1756-PA75) suitable for SIL3 applications is also included.

The LIC has a primary controller (1756-L72S or 1756-L62S) and a safety partner controller (1756-L7SP or 1756-LSP). These two modules work in a 1-out-of-2 (1oo2) configuration to function as a SIL3 capable controller. 1oo2 is an architecture where either of the two channels can perform the safety function.

The primary controller performs both standard and safety related control functions. To satisfy SIL3 requirements a second co-processor provides redundancy for safety-related control functions.

Communications over the Independent Safety Network is handled by an Ethernet Bridge Module (1756-EN2TR). Due to design of the CIP Safety protocol, bridge devices are not required to be SIL-3 certified.

Functions of the LIC

Each LIC has the following functions:

• Monitor safety I/O of the subsystem

• Communicate safety-related status of subsystem to the GIC

• Apply interlocks based on safety I/O and status received from GIC

The ControlLogix Chassis may also contain a standard controller that may be used by a subsystem for non-safety related control functions in addition to the safety functions. The GuardLogix processors may also run a standard task that may be used by a subsystem for non-safety related functions. 5.2        Subsystem Interface to the LIC

The various subsystem components are connected to the LIC via remote I/O (specifically POINT I/O modules).  The POINT I/O modules are connected to the LIC via EtherNet. See section 6 I/O Modules.

All safety-related I/O (limits, interlocks, and outputs) of a subsystem are routed to that subsystem’s LIC.

Each VLAN will have a /24 subnet assigned from the private IPv4 address space. No device will be assigned to the default VLAN or the default address space 192.168.1.0/24 as a security measure.

Compatibility within Global Interlock System

All LICs and the GIC are GuardLogix-compatible PAC and programmed with the specified software using a common syntax of tags and safety function blocks. The tags will have a naming convention of (major_minor_component_signal) and a type defined. An example of this is (OSS_TEOA_Heatstop_CoverOpened) with a type of BOOL (binary) representing the TEOA Heatstop cover in the fully open position. See the respective subsystem ICDs for tag names of each subsystem.

The LIC connectivity to the safety network as well as the GIC connectivity utilizes the same type of network bridge module. The backplane for each LIC will typically be 4-slots (1756-A4). The power supplies used for the LIC will all be the same type (1756-PA75).

In order to maintain compatibility and safety consistency throughout the GIS and across all the ATST subsystems, the LIC shall be controlled by a dual processor solution consisting of GuardLogix, Allen-Bradley Safety PAC (1756-L61S and 1756-LSP).

Integration with Subsystem Control

In many cases a ControlLogix solution may be used as the subsystem’s controller, in which case the GuardLogix PAC may be integrated into the subsystem directly. In cases where a subsystem’s controller is not ControlLogix based the LIC will be self-contained. Subsystems’ safety I/O will be routed through the appropriate Guard I/O safety modules. Subsystems’ general I/O will be routed through a separate network. The standard and safety control systems are independent entities; IEC 61508 allows either physical separation or logic separation.

This ControlLogix Integrated Safety solution provides:

• Dual Processor Solution (1oo2 Architecture)

• SIL-3 Certification per IEC 61508

• EN 954-1 Category 4

• Programs with RSLogix5000

• Certified Safety Application Instructions

Match Those in the GuardLogix Product Family

• CIP Safety on EtherNet Connectivity

Figure 3‑5 shows an example of an integrated solution using a GuardLogix PAC and other ControlLogix components. To reduce the load on the Independent Safety Network, each subsystem will provide independent networks for non-safety related communications.

If a subsystem uses a ControlLogix platform the LIC GuardLogix modules may be co-located in the same rack as the subsystem controller. If this method of integration is used the designers and builders shall size the power supply to accommodate this load in addition to the power supply requirements of the subsystem controller. See Figure 3‑6.

This controller shall be connected to the ATST facility UPS. All interlocks are de-energize-to-trip functions, so that even a loss of power will result in a safe condition.

Connected Devices

The safety interlocks connected to the safety I/O modules are wired in a fail-safe manner. (i.e. power removal, connector removal, broken connection, will constitute a failure initiating an interlock condition.)

The safety interlocks are to act independent of any other operational systems.

Devices connected to the distributed I/O modules shall be suitable for use in a safety function.

Distributed I/O modules

The actual distributed I/O modules are part of the subsystem rather than the GIS. The subsystem designers and builders are responsible for supply of the safety I/O modules and the connectivity of the Safety Limits and Safety Interlocks to said modules. Wiring of the Safety Limits and Safety Interlocks shall be performed according to the current version of the appropriate Rockwell Automation User Manual.

Common features of the distributed I/O modules are that they provide integrated pulse test outputs that have the ability to detect short-circuits to 24V_DC or 0V (GND); wire continuity; or discrepancy of dual channel circuitry. The modules are suitable and TÜV-certified for use in SIL3/CAT 4 applications.

There are currently two types of distributed I/O modules that be used in the GIS: CompactBlock Guard I/O and POINT Guard I/O.

CompactBlock Guard I/O Safety Modules

The CompactBlock Guard I/O is a single block of inputs, outputs, or inputs/outputs.

POINT Guard I/O Modules

The POINT I/O family consists of modular components. Each component snaps together and mounts onto a DIN rail to form the POINT I/O system. The POINT I/O is expandable, and can be configured for safety or standard I/O in the same chassis. The I/O modules are interfaced to a network through a communication interface. POINT Guard I/O modules communicate by using CIP Safety protocol over EtherNet/IP for GuardLogix controllers

Figure 6‑1 Example POINT I/O Chassis show an example POINT I/O chassis and associated power supply. The chassis consists of a network interface adapter, two safety input modules and a single safety output module.

Each POINT Guard input module contains 8 single-channel or 4 dual-channel safety inputs plus 4 test pulse outputs.

Each POINT Guard output module contains 8 single-channel or 4 dual-channel safety outputs plus 4 test pulse outputs.

In the event that more than 250 EtherNet/IP connections are needed by a specific LIC, additional Ethernet Interface cards may be added to the LIC backplane. This may also require the increase in size of the standard LIC backplane.

7                Human-Machine Interface

Operator interaction with the GIS will be via touch screen graphical HMI. The information available at the HMI will include current status of all safety functions, status of the emergency stop system, status of the safety network, status of safety controllers and status of the distributed safety I/O.

The HMI displays any alarms from the GIS. The HMI is capable of reading the individual status bits of all connected distributed I/O.

The HMI will be password protected to allow only qualified personnel to perform certain operations. No password will be needed to view alarms or status information of the system and safety functions.

The HMI analyses status from connected components and provide guided help in troubleshooting various failures of the systems as well as provide indications of active interlocks and the corrective action needed to clear them.

The HMI is the only means to reset and clear faults from the system prior to resuming normal operations.

As part of the GIC enclosure, an HMI will be available to display status and aid troubleshooting. The HMI is a touch-screen display (2711P-T12C4A1) of multiple menus.

Figure 7‑1 2711P PanelView Plus Graphic Terminal

Provision will be made to connect a portable HMI at each LIC location for troubleshooting.

The HMI will be programmed in accordance with Abnormal Situation Management (ASM) Guidelines for Effective Operator Display Design. This includes display content, layout, navigation, use of color, use of text and numbers, use of symbols. Alarm configuration, audible and visual alarm annunciation, on-line guidance, and change management is also covered by these guidelines.

7.1        System Status

The HMI will display the current status of hardware that comprises the GIS. This display will show any faulted or unconnected equipment to allow for rapid troubleshooting. The results of component self-diagnostics will also be displayed.

Part of the status display will show whether there are any I/O forces and that all controllers have valid safety signatures.

General health information about the GIS will also be provided this will include information such as network utilization.

7.2        Safety Function Status

The HMI will also display the current status of all GIS safety functions. The HMI will display which systems are currently interlocked (tripped) or faulted.

7.3        Operator Control

The HMI will also serve as a central point to acknowledge alarms and to reset trips and faults that occur anywhere in the system. After the operator has verified that the cause of the trip or fault has been rectified the HMI will allow password-controlled access to reset the system and restore operation.

7.4        Engineering Interface

The HMI will be capable of displaying engineering screens that detail hardware status and configuration. These screens will be separate from the user screens and will require password-controlled access.

7.5        Logging

The HMI also provides logging of trips and faults that occur within the system. The logs will be time-stamped to allow for correlation of GIS events with activities within the facility.

7.6        Connection

There will be one HMI permanently mounted with the GIC which will be the typical location for interacting with GIS.

Provision will be made to add a second HMI in the control room for future use.

Provision will also be made to connect an HMI at each LIC location. This will be via the second Ethernet Port on the 1756-ENT2R or open port on the LIC’s associated network switch.

Additional HMI may be installed at any location that has a network connection to the safety network.

Figure 11 Location of GIC and HMI on Utility Level

8                Safety Functions

Safety-related control functions (SRCFs) are the result of a detailed hazard analysis of the equipment under control. After a hazard has been identified that will be mitigated by functional safety, the specification for each safety-related control function will be developed. Each SRCF will comprise of the functional requirements and the safety integrity requirements.

The functional requirements will detail the description of the SRCF, the conditions in which the SRCF shall be active or disabled, the required responses to trips and faults, the timing and priority of responses of the SRCF.

The safety integrity requirement will detail the necessary risk reduction for each SRCF.

Individual safety-related control functions are covered in SPEC-0140, GIS Functional Description.

9                Emergency Stop System

An integral part of the GIS is the emergency stop system (ESS). The purpose of the ESS is to provide a global facility-wide means to disable all hazards and bring the facility to a safe state by a single operator-initiated action.

The ESS is activated by any one of a number of maintained-contact, mushroom-head pushbutton and cable-pull stations distributed at various locations throughout the ATST facility. Each emergency stop device is wired independently to remote safety-rated I/O. Each emergency stop device is associated with the LIC that monitors the subsystem nearest the device. The LIC will respond to any local emergency stop device being activated. In addition the LIC sends the status of the emergency stop devices to the GIC.

The GIC monitors the status of all LICs’ emergency stop devices and sends this status to all LICs. Using this status all LICs will respond to any emergency stop device connected to the ESS being activated.

In the event of any emergency stop device being activated, the GIS overrides all other functions and removes power from all sources of hazardous energy—resulting in a category 0 or category 1 stop as defined by § 9.2.2 of NFPA 79.

The GIC, through the HMI, will provide the status of the ESS as well as providing location of the activated ESS device.

9.1        Operation of the Emergency Stop Function

The emergency stop function is activated by any one of the emergency stop devices. Each of these devices is connected to distributed I/O. Each LIC monitors the emergency stop devices associated with its subsystem. These are mounted on or near the subsystem.

The distributed I/O detects the change in state of the emergency stop device. On the next I/O scan the LIC detects this change of state. The LIC then sends a signal to the GIC and commands a change in state of the various distributed I/O that controls hazardous motion in the subsystem causing all hazardous motion control by that LIC to cease.

The GIC receives the signal from the LIC then sends a signal to all LICs that an emergency stop device has been activated. All LICs receive this signal and like the first LIC sends signals to the various distributed I/O to cease all hazardous motion.

10             Trapped Key System

As part of the GIS, at several locations, trapped key interlocks will be used. Trapped key systems function by requiring that a key or possibly several keys be used to enter a hazardous area or beginning to use equipment that may cause interferences. The only way to obtain the key(s) is by first isolating the source(s) of hazardous energy. This primary key can only be removed after hazardous energy is isolated from the machine. The use of multiple keys ensures that multiple sources of hazardous energy are removed or that a specific sequence of events must happen.

10.1     Access Control

One use of trapped keys is controlling access to hazardous areas. Trapped keys are not a substitute for lockout/tagout (see 10.3).

Once hazardous energy has been removed then the primary key may be used to allow access to the safeguarded area. If the safeguarded area requires full-body access, then a personnel safety key must be obtained prior to entering the safeguarded area. Personnel safety keys are released when the primary key (obtained when isolating hazardous energy) is used to unlock access to the safeguarded area. The personnel safety key must be kept in the control of the person entering the safeguarded area at all times. Specific personnel policies will prohibit personnel from entering a safeguarded area without a personnel safety key. Without all the personnel safety keys being returned it is impossible to remove the primary key and thus restarting the hazard is prevented.

The only way to restore the source of hazardous energy is by returning all personnel safety keys, locking the safeguarded area, and returning the primary key.

Since the only way to obtain the key to gain entry to a safeguarded area is to remove hazardous energy, it removes the possibility of personnel entering a safeguarded area without first removing hazardous energy from the system. This provides a measure of safety even if personnel are not following proper lockout/tagout procedures.

Figure 10‑1 Example Trapped Key Scenario

In the above figure (Figure 10‑1) to access the cable wrap chamber, personnel must remove key AA from the maintenance panel, disabling Enclosure Carousel motion. They insert key AA in a key exchange unit which releases three identical keys BA. Using one key BA, the access to the cable wrap chamber is unlocked and two personnel safety keys CA are released which are taken by personnel entering the cable wrap chamber.

Without these keys being returned to their proper place, Enclosure Carousel motion cannot be restarted. If other personnel desire to access the catwalk or service ring, they retrieve a BA key and can then unlock those areas. Without all thee BA keys returned, key AA cannot be removed from the key exchange unit and Enclosure Carousel motion cannot be re-enabled.

10.2     System Interlocking

Trapped keys can also be used to disable certain hazardous motions to allow other activities to be undertaken. One such example is the use of the bridge and jib cranes. Motion of the telescope and carousel should be prevented during use of the cranes to avoid interferences.

10.3     OSHA Lockout/Tagout

"Lockout/Tagout (LOTO)" refers to specific practices and procedures to safeguard employees from the unexpected energization or startup of machines or equipment, or the release of hazardous energy during service or maintenance activities.

OSHA has provided a specific interpretation regarding using circuit control systems such as a PLC as an alternative measure to lockout/tagout. Circuit control systems, such as a PLC system are not energy isolating devices as defined by §1910.147(b). A PLC system may be used only to protect employees who are performing minor tool changes and adjustments, and other minor servicing activities that take place during normal production operations and are routine, repetitive, and integral to the use of the equipment for production.

11             System Interconnects

11.1     Power Requirements

The entire GIS, (GIC, LIC, network switches, and distributed I/O) will be connected to facility UPS power. The UPS will provide backup power until the facility motor-generator can provide backup power.

11.2     Coolant Requirements

Components of the GIS located in thermally sensitive areas shall be placed in thermally controlled enclosures unless the total of those components are less than 20 watts thermal dissipation.

Appendix A   GIS configuration